Beginner

Tiered Administration Model

The tiered administration model splits your AD environment into three trust zones so a compromised workstation can never cascade into full domain compromise.

When one admin account can log into everything — workstations, servers, and Domain Controllers — a single compromised laptop can give an attacker the keys to the entire kingdom. The tiered administration model prevents this by creating three separate zones. Tier 0 is the control plane: Domain Controllers, AD CS, and identity synchronization tools. Tier 1 is the management plane: application servers and databases. Tier 2 is the access plane: user workstations and laptops. Each tier gets its own dedicated admin accounts and Privileged Access Workstations (PAWs). A Tier 2 helpdesk admin literally cannot log into a Domain Controller — that account is denied logon rights on Tier 0 systems by policy, so the credentials are useless there even if stolen.

Imagine a bank with three floors: the ground floor is the public lobby where customers walk in (Tier 2 — workstations), the second floor holds the safe-deposit boxes accessible only to vetted staff (Tier 1 — servers), and the underground vault stores the gold reserves behind a separate key (Tier 0 — Domain Controllers). Each floor has its own keycards. A janitor's lobby keycard cannot open the vault elevator. The tier model works the same way: each tier has dedicated admin credentials that physically cannot be used on other tiers.

Key Takeaways

  1. The tier model creates three trust zones: Tier 0 (DCs/identity), Tier 1 (servers), Tier 2 (workstations).
  2. Each tier uses dedicated admin accounts and Privileged Access Workstations (PAWs).
  3. Tier 0 credentials must NEVER touch Tier 1 or Tier 2 systems.
  4. Enforcement uses GPO logon restrictions, authentication silos, and network segmentation.
  5. Without tier isolation, a single compromised workstation can cascade to full domain compromise.

Why Should I Care?

Most real-world AD compromises follow the same path: phish a user → steal cached admin creds from their workstation → pivot to servers → find DA creds → own the domain. The tier model breaks this chain at every step.
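The takeaway that Tier 0 credentials must never touch Tier 1 or Tier 2 systems is also something you can detect, not just enforce. The following is an added example, not code from the original page: it scans constructed, flattened 4624 (successful logon) records against an assumed tier inventory and flags any logon where a higher-tier account lands on a lower-tier host, rating it higher when the logon type leaves reusable credential material behind (the step the attack chain above depends on). The account names, host names and dictionary-based inventory are assumptions for illustration.

```python
import re

# Assumed tier inventory (constructed); a real deployment derives this from
# OU membership, group membership or a CMDB rather than a literal dict.
ACCOUNT_TIER = {"da-alice": 0, "svc-sql": 1, "helpdesk-bob": 2, "jdoe": 2}
HOST_TIER = {"DC01": 0, "SQL01": 1, "WS-0042": 2}

# Logon types that leave reusable credential material on the host
# (interactive, RDP, cached). Network logons (type 3) do not, so a
# cross-tier network logon is a policy breach but not a theft opportunity.
CRED_EXPOSING_LOGON_TYPES = {2, 10, 11}

# Constructed sample events in a flattened 4624 (successful logon) shape.
SAMPLE_EVENTS = """\
4624 Account=helpdesk-bob Host=WS-0042 LogonType=10
4624 Account=da-alice Host=WS-0042 LogonType=10
4624 Account=da-alice Host=DC01 LogonType=2
4624 Account=svc-sql Host=WS-0042 LogonType=3
4624 Account=jdoe Host=SQL01 LogonType=3
"""

EVENT_RE = re.compile(r"^4624 Account=(\S+) Host=(\S+) LogonType=(\d+)$")


def find_tier_violations(events: str) -> list[dict]:
    """Flag logons where a higher-tier (lower number) account touches a
    lower-tier host. A lower-tier account using a higher-tier service over
    the network (a user reaching SQL01) is the normal direction and is not
    flagged. Anything missing from the inventory is queued for review."""
    findings = []
    for line in events.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        account, host, logon_type = m.group(1), m.group(2), int(m.group(3))
        acct_tier, host_tier = ACCOUNT_TIER.get(account), HOST_TIER.get(host)
        if acct_tier is None or host_tier is None:
            severity = "review"          # unclassified identity or asset
        elif acct_tier < host_tier:
            severity = "high" if logon_type in CRED_EXPOSING_LOGON_TYPES else "medium"
        else:
            continue                     # same tier, or upward use of a service
        findings.append({"account": account, "host": host, "account_tier": acct_tier,
                         "host_tier": host_tier, "logon_type": logon_type,
                         "severity": severity})
    return findings


if __name__ == "__main__":
    for f in find_tier_violations(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['account']} (tier {f['account_tier']}) "
              f"logged on to {f['host']} (tier {f['host_tier']}), type {f['logon_type']}")
```

On the sample data this reports the Domain Admin's RDP session to a workstation as high and the Tier 1 service account's network logon to the same workstation as medium; the helpdesk and user logons pass.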

SourceSudo

Content sourced from Microsoft Documentation, MITRE ATT&CK Framework, NIST SP 800-63/171, adsecurity.org (Sean Metcalf), SpecterOps research, and SANS Reading Room. For educational purposes only.